Venn Network Leads Rescue Campaign of Over $10 Million, Neutralizing a Sophisticated Backdoor in Thousands of DeFi Contracts, Suspected to be Orchestrated by Lazarus Group.
A large-scale and extremely sophisticated attack targeting smart contracts in the decentralized finance (DeFi) sector was successfully prevented through rapid coordination by security experts from Venn Network and other security organizations.
This 36-hour campaign neutralized a dangerous backdoor that could potentially cause over $10 million in damage and posed a serious threat to the entire DeFi ecosystem. Experts suspect this attack may be linked to the Lazarus hacker group, backed by the North Korean government.
The initial threat was discovered by Deeberiroz, an anonymous security researcher from Venn Network. The vulnerability appeared in ERC-1967 standard delegate contracts that were not fully configured. The attacker used "front-running" techniques – executing transactions before legal transactions are completed – to secretly insert malicious code into contracts during their initial deployment, before legal owners could configure these contracts.
Or Dadosh, co-founder of Venn Network, stated that this backdoor was designed so sophisticatedly that detection using conventional monitoring tools was nearly impossible. To address this, an alliance of security experts from Venn Network, Pcaversaccio, Dedaub, and Seal 911 secretly collaborated to review, assess, and assist affected protocols in transferring assets to newer, safer contracts.
Among the affected protocols, Berachain quickly suspended its reward contract and moved all assets to a new safe contract, confirming no damage occurred to user assets.
The sophistication, extensive scope, and deployment method of the attack led researchers to suspect the involvement of a professional cybercrime organization. David Benchimol, a security expert from Venn Network, noted that the attack was widely deployed across all EVM-compatible blockchains.
Mr. Benchimol also emphasized that the attackers are likely patiently waiting for an appropriate moment to target larger, more valuable objectives, a characteristic strategy of state-backed hacker groups like Lazarus.
Although no final conclusive evidence exists, the nature of the attack suggests that this threat is not limited to $10 million, but could directly threaten the Total Value Locked (TVL) of many DeFi protocols if not detected and addressed in a timely manner.
